A critical new security vulnerability has been discovered in the popular RADIUS network authentication protocol, which is used by networks around the world to help users connect to their services (i.e. everything from broadband ISPs to VPNs, mobile operators and more) and could leave them exposed to Man-in-the-Middle (MitM) style attacks.
The weakness, which InkBridge Networks (FreeRADIUS) has named BlastRADIUS, appears difficult to exploit, but its impact could still be significant if network operators and administrators using RADIUS do not patch their software and hardware against the new threat.
NOTE: RADIUS may not be as obvious as protocols like HTTP (web) to end users, but it is a fundamental protocol that almost everyone uses at some level to access the Internet.
The vulnerability is said to stem from a thirty-year-old design flaw in the RADIUS protocol (i.e. some Access-Request packets are neither authenticated nor integrity-checked), and exploiting it "allows an attacker to authenticate anyone on your local network", which is obviously not good. Suffice it to say that it has been given a Common Vulnerability Scoring System (CVSS) score of 9 out of 10, which is extremely high.
However, for such an attack to succeed, the attacker must be able to modify the RADIUS packets in transit between the RADIUS client and the server. Even then, such attacks would still be costly and would likely require "a significant amount of cloud computing power to succeed" (the catch being that those with more resources may still consider it viable, for example if the objective is to steal credit card data for financial gain).
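As an added illustration that is not from the original article or from FreeRADIUS, the Python below builds a minimal Access-Request and shows the Message-Authenticator check (HMAC-MD5 over the packet, RFC 2869) that patched implementations require, alongside the legacy unprotected form the flaw concerns. The shared secret, username and Request Authenticator used are constructed sample values, not from any real deployment.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def build_access_request(secret, identifier, username, request_auth, protect=True):
    """Build a minimal Access-Request. With protect=False the packet is the legacy
    form the article describes: only the 16-byte Request Authenticator, which is a
    random nonce rather than a MAC, so a relay can alter attributes undetected."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    if protect:
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    if protect:
        # HMAC-MD5 over the whole packet with the placeholder still zeroed, then spliced in
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac
    return packet


def iter_attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break  # malformed attribute: stop parsing
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_access_request(secret, packet):
    """Accept only an Access-Request whose Message-Authenticator checks out.
    A packet without the attribute is rejected, which is the new behaviour that
    patched RADIUS servers enforce once the attribute is required."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, off, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator present
```

Flipping a single byte of User-Name in a protected packet, or using a different shared secret, makes the check fail, while the legacy packet without the attribute is refused outright.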
Statement by FreeRADIUS
The attack is difficult because it is a man-in-the-middle attack, meaning that the attacker must be able to see and modify Access-Request packets. If the attacker can do this, then your network is already compromised.
Even better, the attack requires significant CPU resources to perform, e.g. $1000 of CPU power per packet being attacked, and the attack isn't even guaranteed. There is also no publicly available exploit for script kiddies to run. It is extremely unlikely that anyone other than nation-states would have the ability to launch an attack at this time.
However, if you are running PAP / CHAP / MS-CHAP and RADIUS/UDP on the Internet, then your users have likely been compromised for decades. We can’t say more about it.
To fully protect your systems from attack, you must update all RADIUS servers and all RADIUS clients. The attack relies on a design flaw in the protocol. Fixing it requires updating all RADIUS implementations to the new behavior. In many cases, you don’t need to panic and upgrade everything at once. See below for more details.
Even considering the limited nature of the attack, everyone should plan to install all firmware updates for every NAS device (including switches, routers, firewalls, VPN hubs, etc.) that uses RADIUS. The important thing in the short term is to upgrade your RADIUS servers, determine if your network is still vulnerable, and then take action to address those vulnerabilities.
Currently there is only a proof-of-concept exploit for this, developed by the researchers, and the exploit itself is not yet publicly available. Credit to Thinkbroadband for spotting this.
NOTE: Systems NOT considered vulnerable to this include 802.1X, IPsec, TLS, eduroam and OpenRoaming, while those considered vulnerable include PAP, CHAP, MS-CHAPv2 and other non-EAP authentication methods.